US-12597027-B2

Systems for describing unknown access management events using identity tags and related transaction chains

Published: April 7, 2026
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

The technology includes a system to describe access management events. The system monitors transactions performed by layers of an Identity Provider service (IDP). Each layer corresponds to an Application Programming Interface (API). The system captures output from the layers in a dynamic record. The output includes timestamps, names of layers, and principals responsible for calling layers. The system determines related transactions by tagging output with identity tags based on principals, and grouping transactions based on common identity tags. The system chains related transactions into lists by comparing identity tags and timestamps and determining orders based on proximate timestamps. The system determines access management events based on names of layers from lists of chained transactions. The system generates descriptions of these events for display to auditors by using language models which have been provided input from the dynamic record.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A non-transitory, computer-readable storage medium comprising instructions recorded thereon, wherein the instructions, when executed by at least one data processor of a system, cause the system to:

2. The non-transitory, computer-readable storage medium of, wherein the layers of the IDP service include built-in hooks for streaming output from transactions, and wherein the output from the layers of the IDP service is streamed to the dynamic record of transactions using the built-in hooks.

3. The non-transitory, computer-readable storage medium of, wherein:

4. The non-transitory, computer-readable storage medium of, wherein tagging the output for each transaction with the identity tags based on the principals further causes the system to:

5. The non-transitory, computer-readable storage medium of, wherein identifying the access management event further causes the system to:

6. The non-transitory, computer-readable storage medium of, wherein generating the description of the access management event further causes the system to:

7. The non-transitory, computer-readable storage medium of, wherein the single comprehensive view comprises a historical record of previous descriptions of access management events performed by the user, wherein the historical record includes a data-before field, a data-change field, and a data-after field, and wherein generating the description for display further causes the system to:

8. A system comprising:

9. The system of, wherein the APIs include built-in hooks for streaming output from transactions, and wherein the output from the APIs is streamed to the dynamic record using the built-in hooks.

10. The system of, wherein:

11. The system of, wherein tagging the output for each transaction with identity tags based on the principals further causes the system to:

12. The system of, wherein predicting a common purpose for the list of concatenated transactions further causes the system to:

13. The system of, wherein determining a description of the access event further causes the system to:

14. The system of, wherein the comprehensive view comprises a historical record of previous descriptions of access events performed by the user, and wherein generating the description for display further causes the system to:

15. A method comprising:

16. The method of, further comprising:

17. The method of, wherein the API transactions include hooks for streaming output, and wherein the output from the API transactions is streamed to the dynamic record using the hooks.

18. The method of, wherein:

19. The method of, wherein tagging the output for each transaction with tags based on the principals further comprises:

20. The method of, wherein predicting of the unknown event further comprises:

Detailed Description

Complete technical specification and implementation details from the patent document.

Identity and access management (IAM) is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IAM systems identify, authenticate, and control access for individuals who will be utilizing IT resources, as well as hardware and applications needed for access. IAM covers issues such as how users gain an identity, the roles and, sometimes, the permissions that identity grants, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.). IAM systems, products, applications, and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware, and software applications. This includes identity providers.

The technologies described herein will become more apparent to those skilled in the art from studying the Detailed Description in conjunction with the drawings. Embodiments or implementations describing aspects of the invention are illustrated by way of example, and the same references can indicate similar elements. While the drawings depict various implementations for the purpose of illustration, those skilled in the art will recognize that alternative implementations can be employed without departing from the principles of the present technologies. Accordingly, while specific implementations are shown in the drawings, the technology is amenable to various modifications.

The disclosed technology relates to describing unknown access management events for an identity provider (IDP). In some implementations, the IDP is a service that controls access to a system and its functions by performing access management events—these events include identifying, authenticating, and controlling a user's degree of access to a system, as well as functions performed by other services comprised by the system. In this application, access management events are also referred to as access events, or, simply, “events.” A record of these events is kept for the purpose of preventing fraud, auditing user identities, and building new data-driven services and tools for users of the system. Such services and tools can include Machine Learning (ML) and Artificial Intelligence (AI) applications.

In some implementations, an access event relies on subsidiary Application Programming Interfaces (APIs) to perform services that are interconnected or interdependent. These subsidiary API services can be referred to as “transactions.” For example, in order for a user to add a new phone line to their profile, a first transaction identifies which user is making the request, a second transaction verifies that the user has the proper authority to be granted that request, a third transaction grants the request, and a fourth transaction notifies the user of the granted request. In such examples, the output from one transaction can serve as the input for one or more other subsidiary APIs. It should be understood that an access management event can include more or fewer subsidiary API services, or transactions.

The disclosed technology can provide a solution to the problem presented by current IDP logs, in which the subsidiary API services (i.e., transactions) are either not recorded, or recorded separately. As a result, current IDP logs contain records that are cryptic and unusable to all but a select few experts, and combining the data repositories where transactions are recorded separately requires a great deal of time and expense. These data repositories are heterogeneous, each with its own specific data types, security protocols, APIs, locations, modes of storage, and means of extraction, all of which must be reconciled before the data they hold can be combined. The disclosed technology can solve these problems, and others, by continually updating a consolidated record of all transactions performed under an access management event. The disclosed technology can accomplish this by chaining related transactions, and grouping chained transactions according to identity tags. For example, identity tags are related to an originating principal. In an IDP, entities are referred to as principals. Principals can include a person, a user, a subscriber, a computer, a service, or a computational entity, such as a process, or a thread. From the consolidated record of chained transactions with identity tags, the system can create a single comprehensive view of the IDP, arranged chronologically. The single comprehensive view of the IDP can function as a basis for AI and ML applications, for the purpose of continual anomaly detection among access management events, as well as automatic intent prediction, and service recommendation, among others.

The description contained herein, and the associated drawings, are illustrative examples and are not to be construed as limiting. This disclosure provides certain details for a thorough understanding and enabling description of these examples. One skilled in the relevant technology will understand, however, that the invention can be practiced without many of these details. Likewise, one skilled in the relevant technology will understand that the invention can include well-known structures or features that are not shown or described in detail, to avoid unnecessarily obscuring the descriptions of examples.

Wireless Communications System

The figure is a block diagram that illustrates a wireless telecommunication network (“network”) in which aspects of the disclosed technology are incorporated. The network includes base stations (also referred to individually as “base station” or collectively as “base stations”). A base station is a type of network access node (NAN) that can also be referred to as a cell site, a base transceiver station, or a radio base station. The network can include any combination of NANs including an access point, radio transceiver, gNodeB (gNB), NodeB, eNodeB (eNB), Home NodeB or Home eNodeB, or the like. In addition to being a wireless wide area network (WWAN) base station, a NAN can be a wireless local area network (WLAN) access point, such as an Institute of Electrical and Electronics Engineers (IEEE) 802.11 access point.

The NANs of a network formed by the network also include wireless devices (referred to individually as “wireless device” or collectively as “wireless devices”) and a core network. The wireless devices can correspond to or include network entities capable of communication using various connectivity standards. For example, a 5G communication channel can use millimeter wave (mmW) access frequencies of 28 GHz or more. In some implementations, the wireless device can operatively couple to a base station over a long-term evolution/long-term evolution-advanced (LTE/LTE-A) communication channel, which is referred to as a 4G communication channel.

The core network provides, manages, and controls security services, user authentication, access authorization, tracking, internet protocol (IP) connectivity, and other access, routing, or mobility functions. The base stations interface with the core network through a first set of backhaul links (e.g., S1 interfaces) and can perform radio configuration and scheduling for communication with the wireless devices or can operate under the control of a base station controller (not shown). In some examples, the base stations can communicate with each other, either directly or indirectly (e.g., through the core network), over a second set of backhaul links (e.g., X1 interfaces), which can be wired or wireless communication links.

The base stations can wirelessly communicate with the wireless devices via one or more base station antennas. The cell sites can provide communication coverage for geographic coverage areas (also referred to individually as “coverage area” or collectively as “coverage areas”). The coverage area for a base station can be divided into sectors making up only a portion of the coverage area (not shown). The network can include base stations of different types (e.g., macro and/or small cell base stations). In some implementations, there can be overlapping coverage areas for different service environments (e.g., Internet of Things (IoT), mobile broadband (MBB), vehicle-to-everything (V2X), machine-to-machine (M2M), machine-to-everything (M2X), ultra-reliable low-latency communication (URLLC), machine-type communication (MTC), etc.).

The network can include a 5G network and/or an LTE/LTE-A or other network. In an LTE/LTE-A network, the term “eNBs” is used to describe the base stations, and in 5G new radio (NR) networks, the term “gNBs” is used to describe the base stations that can include mmW communications. The network can thus form a heterogeneous network in which different types of base stations provide coverage for various geographic regions. For example, each base station can provide communication coverage for a macro cell, a small cell, and/or other types of cells. As used herein, the term “cell” can relate to a base station, a carrier or component carrier associated with the base station, or a coverage area (e.g., sector) of a carrier or base station, depending on context.

A macro cell generally covers a relatively large geographic area (e.g., several kilometers in radius) and can allow access by wireless devices that have service subscriptions with a wireless network service provider. As indicated earlier, a small cell is a lower-powered base station, as compared to a macro cell, and can operate in the same or different (e.g., licensed, unlicensed) frequency bands as macro cells. Examples of small cells include pico cells, femto cells, and micro cells. In general, a pico cell can cover a relatively smaller geographic area and can allow unrestricted access by wireless devices that have service subscriptions with the network provider. A femto cell covers a relatively smaller geographic area (e.g., a home) and can provide restricted access by wireless devices having an association with the femto unit (e.g., wireless devices in a closed subscriber group (CSG), wireless devices for users in the home). A base station can support one or multiple (e.g., two, three, four, and the like) cells (e.g., component carriers). All fixed transceivers noted herein that can provide access to the network are NANs, including small cells.

The communication networks that accommodate various disclosed examples can be packet-based networks that operate according to a layered protocol stack. In the user plane, communications at the bearer or Packet Data Convergence Protocol (PDCP) layer can be IP-based. A Radio Link Control (RLC) layer then performs packet segmentation and reassembly to communicate over logical channels. A Medium Access Control (MAC) layer can perform priority handling and multiplexing of logical channels into transport channels. The MAC layer can also use Hybrid ARQ (HARQ) to provide retransmission at the MAC layer, to improve link efficiency. In the control plane, the Radio Resource Control (RRC) protocol layer provides establishment, configuration, and maintenance of an RRC connection between a wireless device and the base stations or core network supporting radio bearers for the user plane data. At the Physical (PHY) layer, the transport channels are mapped to physical channels.

Wireless devices can be integrated with or embedded in other devices. As illustrated, the wireless devices are distributed throughout the network, where each wireless device can be stationary or mobile. For example, wireless devices can include handheld mobile devices (e.g., smartphones, portable hotspots, tablets, etc.); laptops; wearables; drones; vehicles with wireless connectivity; head-mounted displays with wireless augmented reality/virtual reality (AR/VR) connectivity; portable gaming consoles; wireless routers, gateways, modems, and other fixed-wireless access devices; wirelessly connected sensors that provide data to a remote server over a network; IoT devices such as wirelessly connected smart home appliances; etc.

A wireless device (e.g., wireless devices) can be referred to as a user equipment (UE), a customer premises equipment (CPE), a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a handheld mobile device, a remote device, a mobile subscriber station, a terminal equipment, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a mobile client, a client, or the like.

A wireless device can communicate with various types of base stations and network equipment at the edge of a network including macro eNBs/gNBs, small cell eNBs/gNBs, relay base stations, and the like. A wireless device can also communicate with other wireless devices either within or outside the same coverage area of a base station via device-to-device (D2D) communications.

The communication links (also referred to individually as “communication link” or collectively as “communication links”) shown in the network include uplink (UL) transmissions from a wireless device to a base station and/or downlink (DL) transmissions from a base station to a wireless device. The downlink transmissions can also be called forward link transmissions while the uplink transmissions can also be called reverse link transmissions. Each communication link includes one or more carriers, where each carrier can be a signal composed of multiple sub-carriers (e.g., waveform signals of different frequencies) modulated according to the various radio technologies. Each modulated signal can be sent on a different sub-carrier and carry control information (e.g., reference signals, control channels), overhead information, user data, etc. The communication links can transmit bidirectional communications using frequency division duplex (FDD) (e.g., using paired spectrum resources) or time division duplex (TDD) operation (e.g., using unpaired spectrum resources). In some implementations, the communication links include LTE and/or mmW communication links.

In some implementations of the network, the base stations and/or the wireless devices include multiple antennas for employing antenna diversity schemes to improve communication quality and reliability between base stations and wireless devices. Additionally or alternatively, the base stations and/or the wireless devices can employ multiple-input, multiple-output (MIMO) techniques that can take advantage of multi-path environments to transmit multiple spatial layers carrying the same or different coded data.

In some examples, the network implements 6G technologies including increased densification or diversification of network nodes. The network can enable terrestrial and non-terrestrial transmissions. In this context, a Non-Terrestrial Network (NTN) is enabled by one or more satellites to deliver services anywhere and anytime and provide coverage in areas that are unreachable by any conventional Terrestrial Network (TN). A 6G implementation of the network can support terahertz (THz) communications. This can support wireless applications that demand ultrahigh quality of service (QoS) requirements and multi-terabits-per-second data transmission in the era of 6G and beyond, such as terabit-per-second backhaul systems, ultra-high-definition content streaming among mobile devices, AR/VR, and wireless high-bandwidth secure communications. In another example of 6G, the network can implement a converged Radio Access Network (RAN) and Core architecture to achieve Control and User Plane Separation (CUPS) and achieve extremely low user plane latency. In yet another example of 6G, the network can implement a converged Wi-Fi and Core architecture to increase and improve indoor coverage.

5G Core Network Functions

The figure is a block diagram that illustrates an architecture including 5G core network functions (NFs) that can implement aspects of the present technology. A wireless device can access the 5G network through a NAN (e.g., gNB) of a RAN. The NFs include an Authentication Server Function (AUSF), a Unified Data Management (UDM), an Access and Mobility management Function (AMF), a Policy Control Function (PCF), a Session Management Function (SMF), a User Plane Function (UPF), and a Charging Function (CHF).

The interfaces N1 through N15 define communications and/or protocols between each NF as described in relevant standards. The UPF is part of the user plane and the AMF, SMF, PCF, AUSF, and UDM are part of the control plane. One or more UPFs can connect with one or more data networks (DNs). The UPF can be deployed separately from control plane functions. The NFs of the control plane are modularized such that they can be scaled independently. As shown, each NF service exposes its functionality in a Service Based Architecture (SBA) through a Service Based Interface (SBI) that uses HTTP/2. The SBA can include a Network Exposure Function (NEF), an NF Repository Function (NRF), a Network Slice Selection Function (NSSF), and other functions such as a Service Communication Proxy (SCP).

The SBA can provide a complete service mesh with service discovery, load balancing, encryption, authentication, and authorization for interservice communications. The SBA employs a centralized discovery framework that leverages the NRF, which maintains a record of available NF instances and supported services. The NRF allows other NF instances to subscribe and be notified of registrations from NF instances of a given type. The NRF supports service discovery by receipt of discovery requests from NF instances and, in response, details which NF instances support specific services.

The NSSF enables network slicing, which is a capability of 5G to bring a high degree of deployment flexibility and efficient resource utilization when deploying diverse network services and applications. A logical end-to-end (E2E) network slice has pre-determined capabilities, traffic characteristics, and service-level agreements and includes the virtualized resources required to service the needs of a Mobile Virtual Network Operator (MVNO) or group of subscribers, including a dedicated UPF, SMF, and PCF. The wireless device is associated with one or more network slices, which all use the same AMF. A Single Network Slice Selection Assistance Information (S-NSSAI) function operates to identify a network slice. Slice selection is triggered by the AMF, which receives a wireless device registration request. In response, the AMF retrieves permitted network slices from the UDM and then requests an appropriate network slice of the NSSF.

The UDM introduces a User Data Convergence (UDC) that separates a User Data Repository (UDR) for storing and managing subscriber information. As such, the UDM can employ the UDC under 3GPP TS 22.101 to support a layered architecture that separates user data from application logic. The UDM can include a stateful message store to hold information in local memory or can be stateless and store information externally in a database of the UDR. The stored data can include profile data for subscribers and/or other data that can be used for authentication purposes. Given a large number of wireless devices that can connect to a 5G network, the UDM can contain voluminous amounts of data that is accessed for authentication. Thus, the UDM is analogous to a Home Subscriber Server (HSS) and can provide authentication credentials while being employed by the AMF and SMF to retrieve subscriber data and context.

The PCF can connect with one or more Application Functions (AFs). The PCF supports a unified policy framework within the 5G infrastructure for governing network behavior. The PCF accesses the subscription information required to make policy decisions from the UDM and then provides the appropriate policy rules to the control plane functions so that they can enforce them. The SCP (not shown) provides a highly distributed multi-access edge compute cloud environment and a single point of entry for a cluster of NFs once they have been successfully discovered by the NRF. This allows the SCP to become the delegated discovery point in a datacenter, offloading the NRF from distributed service meshes that make up a network operator's infrastructure. Together with the NRF, the SCP forms the hierarchical 5G service mesh.

The AMF receives requests and handles connection and mobility management while forwarding session management requirements over the N11 interface to the SMF. The AMF determines that the SMF is best suited to handle the connection request by querying the NRF. That interface and the N11 interface between the AMF and the SMF assigned by the NRF use the SBI. During session establishment or modification, the SMF also interacts with the PCF over the N7 interface and the subscriber profile information stored within the UDM. Employing the SBI, the PCF provides the foundation of the policy framework that, along with the more typical QoS and charging rules, includes network slice selection, which is regulated by the NSSF.

Describing Unknown Access Management Events Using Identity Tags and Related Transaction Chains

The figure is a block diagram that illustrates a system for contextualizing access management events with identity tags and related transaction chains. In some implementations, the system can accomplish this by monitoring transactions performed by layers of an Identity Provider service (IDP) for an unknown access management event. Each layer can correspond to a separate Application Programming Interface (API) with its own distinct functionality in the IDP.

For example, the transactions can include identification, authentication, adjusting a degree of access to the system, and creating a record of the result and of a user associated with the unknown access management event. In some implementations, the system belongs to a network. For example, the network can be a telecommunications network. The user can access the system via an electronic device. The user can perform the unknown access management event using the electronic device, which can be communicated to the network using one or more network access nodes. In some implementations, the electronic device communicates with a satellite in order to perform the unknown access management event (e.g., verifying user location).

The figure is a block diagram that illustrates components of a system for capturing, tagging, and chaining output from transactions performed by API layers of an IDP. One purpose of these operations is to describe access management events that include a common purpose for a grouping of chained related transactions, as well as a result and an identity associated with a user who either performs the access management event, or on whose behalf a system expert performs the access management event. In some implementations, the layers can include built-in hooks. The built-in hooks can be configured to stream output from transactions.

In some implementations, the system captures output from the layers in a dynamic record of transactions. For example, the output for each transaction includes a timestamp, a name of a layer that performed the transaction, and a principal responsible for calling the layer. The output from the layers can be streamed to the dynamic record of transactions using the built-in hooks.

In some implementations, the system determines related transactions in the dynamic record by tagging the output for each transaction with identity tags based on the principals. For example, the transactions can be grouped based on common identity tags. Identity tags can include usernames, IDs, or other unique information associated with a single entity or subscriber to the telecommunications network. The transactions can include user identification, authentication, and granting access to the user to select functions of the 5G Core Network described above.

In some implementations, the principals include source information. The source information can include a user ID, a session ID, a relational ID, a device type, a device ID, an IP address, or a client ID, or any combination or subset of the foregoing. In some implementations, tagging the output for each transaction with identity tags based on the principals also includes parsing the principals for source information. For example, parsing the principals for source information includes determining user profiles that match the source information. This can include searching for the source information in a user profile index or an identity system. In some implementations, the user profiles include identifying information. The system can determine identity tags from the identifying information.

In some implementations, the system chains the related transactions into a list of chained transactions by comparing identity tags and timestamps. For example, the system can determine an order for the list of chained transactions based on proximate timestamps (e.g., the system can order the list of chained transactions from first to last).
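The capture, tag, group and chain steps above, as an added example that is not code from the patent or its assignee: it resolves each principal's source information through a constructed user profile index to an identity tag, groups the dynamic record by tag, and splits each identity's time-ordered transactions into chains wherever consecutive timestamps are not proximate. The record, the profile index, the layer names and the 30-second proximity threshold are all constructed assumptions.

```python
"""Tag, group and chain IDP transaction output by identity (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed user-profile index (hypothetical): maps a piece of source
# information to the profile whose identifying information yields the tag.
USER_PROFILE_INDEX = {
    ("user_id", "u-1001"): {"username": "alice", "devices": {"dev-a1"}},
    ("user_id", "u-2002"): {"username": "bob", "devices": {"dev-b7"}},
    ("session_id", "sess-77"): {"username": "alice", "devices": {"dev-a1"}},
    ("device_id", "dev-b7"): {"username": "bob", "devices": {"dev-b7"}},
}


@dataclass
class Transaction:
    """One entry of the dynamic record: what a layer's hook streamed out."""
    timestamp: datetime
    layer: str              # name of the API layer that performed the transaction
    principal: dict         # source information about who called the layer
    identity_tag: Optional[str] = None


def resolve_identity_tag(principal: dict) -> Optional[str]:
    """Parse the principal's source information and look each field up in the
    profile index; the first field that matches a profile yields the tag."""
    for key in ("user_id", "session_id", "device_id", "client_id"):
        value = principal.get(key)
        if value is None:
            continue
        profile = USER_PROFILE_INDEX.get((key, value))
        if profile:
            return profile["username"]
    return None  # unattributable principal: left untagged for separate review


def tag_record(record: list[Transaction]) -> list[Transaction]:
    for tx in record:
        tx.identity_tag = resolve_identity_tag(tx.principal)
    return record


def group_by_tag(record: list[Transaction]) -> dict[str, list[Transaction]]:
    """Group transactions that share a common identity tag."""
    groups: dict[str, list[Transaction]] = {}
    for tx in record:
        if tx.identity_tag is not None:
            groups.setdefault(tx.identity_tag, []).append(tx)
    return groups


def chain_transactions(txs: list[Transaction],
                       max_gap: timedelta) -> list[list[Transaction]]:
    """Order one identity's transactions first to last and start a new chain
    wherever the gap to the previous timestamp exceeds max_gap."""
    chains: list[list[Transaction]] = []
    for tx in sorted(txs, key=lambda t: t.timestamp):
        if chains and tx.timestamp - chains[-1][-1].timestamp <= max_gap:
            chains[-1].append(tx)
        else:
            chains.append([tx])
    return chains


def build_chains(record: list[Transaction],
                 max_gap: timedelta = timedelta(seconds=30)) -> dict[str, list[list[str]]]:
    """Full pipeline: tag -> group -> chain; returns ordered layer names per identity."""
    tagged = tag_record(record)
    return {
        tag: [[t.layer for t in chain] for chain in chain_transactions(txs, max_gap)]
        for tag, txs in group_by_tag(tagged).items()
    }


def sample_record() -> list[Transaction]:
    """Constructed dynamic record: two users interleaved, bob identified only by
    device, one unattributable caller, and a second alice event 15 minutes later."""
    t0 = datetime(2026, 1, 15, 9, 0, 0)

    def tx(sec: int, layer: str, principal: dict) -> Transaction:
        return Transaction(t0 + timedelta(seconds=sec), layer, principal)

    return [
        tx(0, "identify", {"user_id": "u-1001", "ip": "198.51.100.7"}),
        tx(1, "identify", {"device_id": "dev-b7", "ip": "203.0.113.9"}),
        tx(2, "authenticate", {"session_id": "sess-77"}),
        tx(3, "authenticate", {"device_id": "dev-b7"}),
        tx(5, "grant_access", {"session_id": "sess-77"}),
        tx(6, "notify", {"session_id": "sess-77"}),
        tx(7, "identify", {"client_id": "unknown-app"}),   # no matching profile
        tx(900, "identify", {"user_id": "u-1001"}),         # not proximate: new chain
        tx(902, "authenticate", {"user_id": "u-1001"}),
    ]


if __name__ == "__main__":
    for tag, chains in build_chains(sample_record()).items():
        print(tag, chains)
```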

The figure is a block diagram that illustrates components of a system for describing an unknown access management event using identity tags and related transaction chains. In some implementations, the system describes an unknown access management event based on the names of the layers of the transactions of the list of chained transactions.

In some implementations, the names of the layers that performed the transactions are an intention input. For example, determining the access management event can include providing the names of the layers that performed the transactions as the intention input to an intention prediction model. The intention prediction model can be trained to output predicted intentions based on names of layers provided as intention inputs. In some implementations, the system determines a predicted intention from the intention input. For example, the predicted intention can include a common purpose for the transactions, and the system can determine the access management event based on the common purpose and the identity tags. The intention prediction model can be trained by system domain experts based on historical logs of transactions. Such historical logs can include the names of transactions arranged into ordered chains, such as the chained lists of related transactions. Each ordered chain of transactions can be associated with an access management event defined by the domain experts.

In some implementations, the system generates a description of the access management event, using a model trained to output descriptions based on chained transactions provided as input. The model can be a language model, a large language model (LLM), a deep learning model, or a neural network. The model can include convolutional layers, hidden layers, Long Short Term Memory layers, Transformers, or other attention mechanisms, or any combination of the foregoing.

In some implementations, determining the description of the access management event includes organizing the list of chained transactions into a hierarchically nested set of feature-value pairs. The hierarchically nested set of feature-value pairs can include features that are descriptive of the access management event, and values that correspond to the features for each transaction. For example, the hierarchically nested set of feature-value pairs can act as a description input for the model.

In some implementations, the system generates the description for display to an auditor in a single comprehensive view of the IDP. The single comprehensive view can be updated as new output is streamed to the dynamic record of transactions. The description can provide context for the access management event by identifying a user based on the identity tags and a result based on the access management event.

In some implementations, the single comprehensive view includes a historical record of previous descriptions of other access management events performed by the user. For example, generating the description for display can include comparing the values of the hierarchically nested set of feature-value pairs against past values of the same features taken from the previous descriptions. The past values can be based on past results of previous transactions resulting from prior unknown access management events in the IDP. The system can determine differences between the past values and the values of the current access management event, and revise the common purpose of the description based on the differences. For example, a user who frequently provides incorrect passwords when attempting to log in from a device with a particular device ID, or a device ID that is associated with their user profile but is not their main device, may have their description revised from being a “potential fraud alert” to being a “failed login.” In another example, the historical record of previous descriptions includes a data-before field, a data-change field, and a data-after field. The system can identify a change in the data-change field, compare that change from the data-after field to the data-before field, and determine differences between the data-after field and the data-before field based on the change.

The flowchart illustrates a method to contextualize access management events with identity tags and related transaction chains. The method includes monitoring API transactions for an unknown event. In some implementations, the API transactions include hooks for streaming output.

The method includes capturing output from the API transactions in a dynamic record. In some implementations, the output includes timestamps, API names, and principals. For example, the output can be captured by streaming the API transactions to the dynamic record using the hooks. The principals can include source information, which in turn can include user ID, session ID, relational ID, device type, device ID, IP address, or client ID.

The method includes determining related transactions by tagging the transactions with identity tags based on the principals. In some implementations, tagging can include parsing the principals for source information and determining profiles that match the source information. The profiles can be included within a profile index hosted by a telecommunications network or by a third party contracted to the telecommunications network. Each profile of the profiles can correspond to a user or a subscriber of the telecommunications network. For example, users and subscribers can include individuals, families, corporations, companies, or trusts. In some implementations, the profiles include information that identifies the user or subscriber that corresponds to the profiles. Matches can be determined by searching for source information in the profile index. Tags can be determined from the identifying information found in the matching profiles.

The method includes grouping transactions based on common tags. The method includes chaining the related transactions into a list of chained transactions having an order by comparing tags and timestamps and determining proximate timestamps. The method includes determining a prediction of the unknown event by providing the API names in the order of the chained transactions as an input to a model trained to output predicted events based on ordered API names. In some implementations, predicting the unknown event includes providing the API names as an input to an intention prediction model trained to output predicted intentions based on API names provided as input. The method can include determining the prediction of the unknown event based on the chained transactions and identity tags.

The method includes generating a description of the unknown event using a model trained to output descriptions based on predicted events. In some implementations, the method includes generating the description for display to a user in a single view. The description can identify a user and a result based on the prediction.
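The tag, group, chain and predict steps of the method above, carried through on a constructed transaction stream. This is an added Python example, not code from the patent; the profile index, the five-minute proximity window, and the pattern table that stands in for the trained model are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what the IDP layers' hooks would stream into the dynamic record:
# timestamp, API (layer) name, and the principals (source information) that called it.
RECORD = [
    {"ts": "2026-04-07T09:00:00", "api": "authenticate", "principal": {"user_id": "u-42", "device_id": "d-1"}},
    {"ts": "2026-04-07T09:00:02", "api": "issue_token", "principal": {"session_id": "s-9"}},
    {"ts": "2026-04-07T09:00:03", "api": "read_resource", "principal": {"session_id": "s-9", "ip": "10.0.0.5"}},
    {"ts": "2026-04-07T09:31:00", "api": "authenticate", "principal": {"user_id": "u-42", "device_id": "d-1"}},
    {"ts": "2026-04-07T09:00:01", "api": "authenticate", "principal": {"user_id": "u-7"}},
]

# Constructed profile index: (source-information field, value) -> identifying tag.
PROFILE_INDEX = {
    ("user_id", "u-42"): "alice", ("session_id", "s-9"): "alice", ("device_id", "d-1"): "alice",
    ("user_id", "u-7"): "bob",
}

# Assumed lookup standing in for the model trained on ordered API names (not the patent's model).
EVENT_PATTERNS = {
    ("authenticate", "issue_token", "read_resource"): "successful login and resource access",
    ("authenticate",): "login attempt without session",
}

def tag(tx):
    """Identity tags for one transaction: every principal field that matches a profile."""
    return {PROFILE_INDEX[k] for k in tx["principal"].items() if k in PROFILE_INDEX}

def chain(record, window=timedelta(minutes=5)):
    """Group by common tag, sort by timestamp, and split each group into chains of
    proximate transactions (consecutive gap <= window). Returns {tag: [chain, ...]}."""
    groups = defaultdict(list)
    for tx in record:
        for t in tag(tx):
            groups[t].append(tx)
    chains = {}
    for t, txs in groups.items():
        txs.sort(key=lambda x: datetime.fromisoformat(x["ts"]))
        chains[t] = []
        for tx in txs:
            last = chains[t][-1][-1] if chains[t] else None
            near = last and datetime.fromisoformat(tx["ts"]) - datetime.fromisoformat(last["ts"]) <= window
            chains[t][-1].append(tx) if near else chains[t].append([tx])
    return chains

def describe(record):
    """Predict the event for each chain from its ordered API names; name user and result."""
    return [{"user": user, "apis": names, "result": EVENT_PATTERNS.get(names, "unknown event")}
            for user, cs in chain(record).items()
            for names in (tuple(tx["api"] for tx in c) for c in cs)]
```

Transactions that share no profile match produce no tag and drop out of every chain, which is the case an auditor would want surfaced separately rather than silently lost.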

Computer System

The block diagram illustrates an example of a computer system in which at least some operations described herein can be implemented. As shown, the computer system can include: one or more processors, main memory, non-volatile memory, a network interface device, a video display device, an input/output device, a control device (e.g., keyboard and pointing device), a drive unit that includes a machine-readable (storage) medium, and a signal generation device that are communicatively connected to a bus. The bus represents one or more physical buses and/or point-to-point connections that are connected by appropriate bridges, adapters, or controllers. Various common components (e.g., cache memory) are omitted from the diagram for brevity. Instead, the computer system is intended to illustrate a hardware device on which components illustrated or described relative to the examples of the figures and any other components described in this specification can be implemented.

The computer system can take any suitable physical form. For example, the computing system can share a similar architecture as that of a server computer, personal computer (PC), tablet computer, mobile telephone, game console, music player, wearable electronic device, network-connected (“smart”) device (e.g., a television or home assistant device), AR/VR systems (e.g., head-mounted display), or any electronic device capable of executing a set of instructions that specify action(s) to be taken by the computing system. In some implementations, the computer system can be an embedded computer system, a system-on-chip (SOC), a single-board computer system (SBC), or a distributed system such as a mesh of computer systems, or it can include one or more cloud components in one or more networks. Where appropriate, one or more computer systems can perform operations in real time, in near real time, or in batch mode.

Patent Metadata

Filing Date

Unknown

Publication Date

April 7, 2026

Inventors

Unknown

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Systems for describing unknown access management events using identity tags and related transaction chains” (US-12597027-B2). https://patentable.app/patents/US-12597027-B2